Hi, I am having a problem with my website. How can I put security in place like SitePoint did? When I click anywhere in my page, if the user has Firebug installed they can see what my parameters are. But I found out that on the SitePoint page, when we navigate to another page and use Firebug to see what is happening in the page, I did not see parameters. Can anyone tell me how to do it like SitePoint, so that our parameters will not be seen using Firebug?

Please help me, SitePoint people.

Thank you in advance.

Hi,

I'm not sure of all the things SitePoint does to hide parameters. However, they likely store state data in the database using PHP sessions. These are stored on the server side and, given parameters are retrieved using database queries, you will not see these using Firebug or other profiling tools.

Using sessions isn't automatically secure, but it is more secure than POST or GET data.

There are a number of attack vectors associated with sessions: [Session Hijacking](http://shiflett.org/articles/session-hijacking) and [Session Fixation](http://shiflett.org/articles/session-fixation). Another thing to do, other than safeguarding against these attacks, is [storing sessions in the database](http://shiflett.org/articles/storing-sessions-in-a-database).
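The approach described in the reply above, as an added example that is not part of any post in this thread: state is kept in a PHP session on the server, the session cookie is hardened, and the session ID is regenerated at login so a fixated ID is worthless. The function names and the `report_filter` key are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example; function names and the 'report_filter' key are hypothetical.
function start_hardened_session(): void
{
    // Reject session IDs the server did not issue (blocks simple fixation).
    ini_set('session.use_strict_mode', '1');
    // Never accept a session ID passed in the URL.
    ini_set('session.use_only_cookies', '1');
    session_set_cookie_params([
        'lifetime' => 0,       // cookie ends with the browser session
        'path'     => '/',
        'secure'   => true,    // sent over HTTPS only
        'httponly' => true,    // not readable from page JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

function on_login(int $userId): void
{
    // Issue a new ID at the privilege change and delete the old session data.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

function remember_filter(array $filter): void
{
    // State lives server-side; the browser only carries the session cookie.
    $_SESSION['report_filter'] = $filter;
}

function current_filter(): array
{
    return $_SESSION['report_filter'] ?? [];
}

// Constructed demonstration values.
start_hardened_session();
on_login(42);
remember_filter(['status' => 'open', 'page' => 3]);
// Later links can be plain (/report.php) instead of /report.php?status=open&page=3.
echo json_encode(current_filter()), PHP_EOL;
```

Anything the user submits still appears in that one request in the browser's network panel; the session only keeps the server from having to echo state back into every URL or form.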

Sessions are unsafe if you just store a player account ID and let them access their account assuming that is really the person logged in. But what I like to do is store the user ID AND their password in a session, and then at the top of every controlled page, in an include, authenticate their username/password in the database. After setting that up, I can add any other non-sensitive site preferences I want to the session. It's a pain having to constantly add new DB fields for every variable I want to track, adding them to the include file for loading into variables from the DB, etc. So definitely I like the convenience of sessions as long as I validate the account.

ServerStorm said:

Hi Jemz,

There are a number of attack vectors associated with sessions: [Session Hijacking](http://shiflett.org/articles/session-hijacking) and [Session Fixation](http://shiflett.org/articles/session-fixation). Another thing to do, other than safeguarding against these attacks, is [storing sessions in the database](http://shiflett.org/articles/storing-sessions-in-a-database).